Domain user passwords are an important part of the security of your Active Directory domain. An AD system administrator can manage domain password policies using Group Policy Objects and Password Settings Objects. In this article, we’ll show you how to set up or change the password complexity policy in Active Directory.
Password complexity policy settings in Active Directory include the following options:
- Minimum password length: the minimum number of characters a password must contain;
- Password must meet complexity requirements: when enabled, the password must not contain the user's sAMAccountName (account name, checked in its entirety and case-insensitively; skipped if the account name is shorter than three characters) and must not contain the user's displayName (full name) or any part of it that is at least three characters long (the display name is split on commas, periods, hyphens, underscores, spaces, pound signs and tabs). In addition, the password must contain characters from at least three of the following five categories: uppercase letters (F, G, R), lowercase letters (f, y, x), digits (1, 2, 3), non-alphanumeric characters (#, @, $), and Unicode letters that have no upper or lower case (for example CJK characters);
- Enforce password history: the number of previous passwords remembered for each user so that they cannot be reused.
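The complexity rule is easy to misread, so here is a local re-implementation of it that a provisioning or self-service-reset script can use to pre-check a candidate password before sending it to the domain. This is an added example, not code from the original article or from Microsoft: the domain controller's own password filter remains the authoritative check, and password history cannot be tested locally at all. The function name and the sample user (b.johnson, "Bob Johnson") are assumptions for the demonstration.

```powershell
# Added example: reproduce the "Password must meet complexity requirements" rule locally.
# The DC's password filter is authoritative; this only mirrors the documented rule so a
# script can reject obviously non-compliant passwords before calling Set-ADAccountPassword.
function Test-ADPasswordComplexity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$SamAccountName,
        [string]$DisplayName = '',
        [int]$MinLength = 7            # default of the Default Domain Policy
    )
    $reasons = New-Object System.Collections.Generic.List[string]

    if ($Password.Length -lt $MinLength) {
        $reasons.Add("shorter than $MinLength characters")
    }

    # The whole sAMAccountName must not appear in the password (case-insensitive);
    # the check is skipped when the account name has fewer than three characters.
    if ($SamAccountName.Length -ge 3 -and
        $Password.IndexOf($SamAccountName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $reasons.Add('contains the account name')
    }

    # displayName is split on , . - _ space # and tab; every token of 3+ characters
    # must be absent from the password (substrings of tokens are not checked).
    foreach ($token in ($DisplayName -split "[,\.\-_ #`t]+")) {
        if ($token.Length -ge 3 -and
            $Password.IndexOf($token, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $reasons.Add("contains part of the display name ('$token')")
            break
        }
    }

    # Characters from at least three of five categories. -cmatch is case-sensitive,
    # which is required for the upper/lower classes to be distinct.
    $categories = 0
    if ($Password -cmatch '[A-Z]')           { $categories++ }   # uppercase Latin
    if ($Password -cmatch '[a-z]')           { $categories++ }   # lowercase Latin
    if ($Password -match  '[0-9]')           { $categories++ }   # digits
    if ($Password -match  '[^\p{L}\p{Nd}]')  { $categories++ }   # non-alphanumeric
    if ($Password -cmatch '\p{Lo}')          { $categories++ }   # caseless letters (e.g. CJK)
    if ($categories -lt 3) {
        $reasons.Add("uses only $categories of 5 character categories (3 required)")
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($reasons.Count -eq 0)
        Reasons   = ($reasons -join '; ')
    }
}

# Constructed sample inputs for an assumed lab user; evaluated against the 14-character
# minimum this article configures below rather than the 7-character default.
$user = @{ SamAccountName = 'b.johnson'; DisplayName = 'Bob Johnson' }
'Summer-Harvest-2024', 'b.johnson2024!!', 'Bob-Johnson-99-xx', 'passwordpassword', 'Tr0ub4dor&3-long' |
    ForEach-Object { Test-ADPasswordComplexity -Password $_ @user -MinLength 14 } |
    Format-Table -AutoSize
```

The Reasons column shows which rule a candidate violates, which is the information the domain's generic "does not meet the length, complexity, or history requirements" error withholds from the user.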
By default, an AD domain based on Windows Server 2016 has the following password complexity settings:

Password complexity parameter | Default value
--- | ---
Minimum password length | 7 characters
Password must meet complexity requirements | Enabled
Enforce password history | 24 passwords remembered
If a user tries to set a password that does not meet the domain password policy (for example, when changing an expired password at logon or via Ctrl+Alt+Delete), Windows displays the following error:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain.
Before the Windows Server 2008 domain functional level, a domain could have only one password policy; since then, several policies can coexist through fine-grained password policies, described later in this article.
The domain-wide default policy is defined in the Default Domain Policy GPO. Its settings are changed in the Group Policy Management Console (gpmc.msc):
- Expand your forest and domain and find the Default Domain Policy, which is linked to the domain root by default;
- Select the policy and open the Settings tab;
- The report shows the password policy settings currently applied to all Active Directory users;
- To raise the minimum password length to 14 characters, right-click the policy and select Edit;
- Go to Computer Configuration > Policies > Windows Settings > Security Settings > Account Policies > Password Policy;
- Open the properties of the Minimum password length setting;
- Enter 14 in the "Password must be at least" field;
- Click OK and close the Group Policy Management Editor;
- The new minimum is enforced the next time each user changes a password; existing shorter passwords keep working until then.
Note that the password policy for domain accounts is read only from GPOs linked to the domain root (the PDC emulator writes these values to the domain object). The same settings in a GPO linked to an OU affect only the local accounts of the computers in that OU, not domain users.
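The same change, with a before/after check, can be done from PowerShell. This is an added example, not part of the original article; it uses the ActiveDirectory module from RSAT and assumes you are running it with rights to modify the domain object:

```powershell
# Added example: read, change and verify the domain-wide password settings with the
# ActiveDirectory module. Requires RSAT and Domain Admins (or equivalent) rights.
Import-Module ActiveDirectory

$domain = Get-ADDomain

# 1. What is enforced right now. These are the minPwdLength / pwdProperties /
#    pwdHistoryLength attributes of the domain object, i.e. what the DCs actually apply.
$before = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
$before | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                        MinPasswordAge, MaxPasswordAge, LockoutThreshold

# 2. Raise the minimum length to 14 and keep complexity and history enforced.
#    Caveat: this writes the domain attributes directly. During Group Policy processing
#    the PDC emulator re-applies whatever the Default Domain Policy GPO defines, so keep
#    the GPO value in step (edit it as shown above) or this change will be overwritten.
Set-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24

# 3. Verify against the PDC emulator, which is the DC that owns password policy changes.
$after = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot -Server $domain.PDCEmulator
if ($after.MinPasswordLength -ne 14) {
    throw "Minimum password length is $($after.MinPasswordLength), expected 14"
}
"Domain $($domain.DNSRoot): minimum length $($after.MinPasswordLength), " +
"complexity $($after.ComplexityEnabled), history $($after.PasswordHistoryCount)"
```

Get-ADDefaultDomainPasswordPolicy is also the quickest way to confirm that a GPO edit made in gpmc.msc has actually reached the domain object after the PDC emulator processed it.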
Since the Windows Server 2008 domain functional level, you can also define separate password and lockout policies for specific users or groups. This feature is called Fine-Grained Password Policies, and the AD schema contains two object classes for it: the Password Settings Container (PSC) and the Password Settings Object (PSO). A PSO can be applied only to user objects and global security groups, not to OUs. Since Windows Server 2012, PSOs can be managed graphically in the Active Directory Administrative Center:
- Run the Active Directory Administrative Center (dsac.exe);
- Go to System > Password Settings Container and create a new Password Settings object;
- Give the PSO a name and a Precedence value, and set the custom password complexity and lockout settings;
- In the Directly Applies To field, add the users or global security groups this PSO should apply to.
The new password settings now apply to all members of the specified group. If several PSOs apply to one user, a PSO linked directly to the user account wins over PSOs linked to groups; among PSOs of the same kind, the one with the lowest Precedence value wins. The winning PSO is exposed in the user's constructed attribute msDS-ResultantPSO.
You can display the effective password policy for a specific user with PowerShell. The cmdlet returns the PSO that wins for that user; if no PSO applies, the user falls under the Default Domain Policy, which Get-ADDefaultDomainPasswordPolicy shows:
Get-ADUserResultantPasswordPolicy -Identity b.johnson
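The PSO procedure above and the resultant-policy check, done end to end from PowerShell. This is an added example, not part of the original article: the PSO name PSO-Tier0-Admins, the global security group Tier0-Admins and the user b.johnson are assumed lab objects, and the values (20-character minimum, lockout after 5 attempts) are illustrative.

```powershell
# Added example: create a PSO, link it to a group and check which policy wins for a user.
# Requires the ActiveDirectory module (RSAT) and rights to create objects in the
# Password Settings Container. Object names below are assumed lab objects.
Import-Module ActiveDirectory

# Splatting instead of backtick continuation so each setting can carry a comment.
$psoParams = @{
    Name                            = 'PSO-Tier0-Admins'
    Precedence                      = 10          # lower value wins if several PSOs apply
    MinPasswordLength               = 20
    ComplexityEnabled               = $true
    PasswordHistoryCount            = 24
    MinPasswordAge                  = New-TimeSpan -Days 1
    MaxPasswordAge                  = New-TimeSpan -Days 90
    LockoutThreshold                = 5
    LockoutObservationWindow        = New-TimeSpan -Minutes 30
    LockoutDuration                 = New-TimeSpan -Minutes 30
    ReversibleEncryptionEnabled     = $false
    ProtectedFromAccidentalDeletion = $true
}
New-ADFineGrainedPasswordPolicy @psoParams

# Link the PSO to a global security group: the "Directly Applies To" field in ADAC.
# PSOs accept only users and global security groups as subjects.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoParams.Name -Subjects 'Tier0-Admins'

# Resultant policy for one user. A user-linked PSO beats group-linked PSOs, then the lowest
# Precedence wins. When no PSO applies, fall back to the Default Domain Policy.
$effective = Get-ADUserResultantPasswordPolicy -Identity 'b.johnson'
if (-not $effective) {
    Write-Host 'No PSO applies to b.johnson; the Default Domain Policy is in effect.'
    $effective = Get-ADDefaultDomainPasswordPolicy
}
$effective | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                           MaxPasswordAge, LockoutThreshold

# Inventory of every PSO in the domain and the users/groups each one is linked to,
# which is what an auditor asks for first when reviewing password policy coverage.
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    [pscustomobject]@{
        PSO        = $_.Name
        Precedence = $_.Precedence
        MinLength  = $_.MinPasswordLength
        Lockout    = $_.LockoutThreshold
        AppliesTo  = ($_.AppliesTo | ForEach-Object { (Get-ADObject -Identity $_).Name }) -join ', '
    }
} | Sort-Object Precedence | Format-Table -AutoSize
```

Run the inventory part on its own before adding a new PSO: a forgotten low-precedence PSO linked to a broad group such as Domain Users will silently override a stricter one linked to an admin group whose Precedence number is higher.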